Issue 7: OAuth attacks, vulnerabilities in drones and kids’ watches

Vulnerabilities

This is as ugly as it gets: MiSafes kids’ watches expose very specific information about a child, such as photo, gender, age, height, and location, and even provide remote microphone access. The API calls are not protected by TLS and are open to Insecure Direct Object Reference (IDOR): as long as you have authenticated to the system and know the ids to use (which happen to be sequential), you can read other users’ data, because there are no authorization checks on the objects themselves. You can simply create an account, then iterate the family_id parameter and access every watch out there. The Chinese manufacturer is neither commenting on nor fixing the vulnerability. It also looks like other cheap kids’ smartwatches use the same platform and are thus susceptible to the same vulnerability.
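To make the missing check concrete, here is an added example (not MiSafes code; the users, ids and records are constructed): a lookup that treats authentication as authorization beside one that verifies the record belongs to the caller, plus an audit helper that walks a range of sequential ids with one account to show what each version leaks.

```python
# Added example: object-level authorization for a "get watch" API call.
# Users, ids and records below are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Watch:
    family_id: int
    owner: str        # account that registered the watch
    child_name: str
    location: str


# Constructed store; note the sequential family_id values.
WATCHES = {
    1001: Watch(1001, "alice", "Ann", "51.5074,-0.1278"),
    1002: Watch(1002, "bob", "Ben", "48.8566,2.3522"),
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


def get_watch_vulnerable(user, family_id):
    """IDOR: any logged-in account can read any record by id."""
    if user is None:
        raise PermissionError("login required")
    return WATCHES[family_id]


def get_watch_fixed(user, family_id):
    """Object-level check: the record must belong to the caller."""
    if user is None:
        raise PermissionError("login required")
    watch = WATCHES.get(family_id)
    # Same error for "missing" and "not yours", so the response does not
    # confirm which ids exist.
    if watch is None or watch.owner != user:
        raise Forbidden("not found")
    return watch


def audit_enumeration(lookup, user, start, count):
    """Walk `count` sequential ids as `user`; return child names returned."""
    seen = []
    for fid in range(start, start + count):
        try:
            seen.append(lookup(user, fid).child_name)
        except (Forbidden, KeyError):
            continue
    return seen
```

Running the audit against both lookups as the single account "alice" shows the vulnerable handler returning every child while the fixed one returns only hers.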

DJI drones used to expose user data including flight logs, pictures, and videos. The problem was that the same cookie (which did not use the HttpOnly flag) and the same OAuth access token were used across all API clients, both web and mobile. This meant that once you obtained a user’s token from one DJI property, you had access everywhere. Researchers demonstrated a Cross-Site Scripting (XSS) attack by planting a rogue link in the DJI forums: any user clicking the link handed them the cookie that gave access to all of that user’s data.

Technology

OAuth 2.0 is one of the cornerstones of API security. Prabath Siriwardena has compiled a thorough catalog of possible OAuth 2.0 attacks, with details, examples, and ways to prevent the attacks. The catalog includes, for example, phishing, Identity Provider mixup, Cross Site Request Forgery (CSRF), token reuse, token leakage, open redirection, and code interception.

While on the topic of potential OAuth 2.0 vulnerabilities, the upcoming OAuth 2.0 Security Best Current Practice guide from the IETF OAuth working group states that clients should not use the implicit grant because it is vulnerable to access token leakage. See the post for a detailed discussion.

Conferences

Qualys has posted a summary of the recent talk by Gartner’s Mark O’Neill on “API Security: Enabling Innovation Without Enabling Attacks and Data Breaches” at Qualys Security Conference.